CVE-2017-13020/VTP: Add some missing bounds checks.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s), modified
so the capture file won't be rejected as an invalid capture.

diff --git a/print-vtp.c b/print-vtp.c
index 285beb96ae6937695d954feda93be40dd3dc67a3..18c1356ef32504198b7a9d09a7b34fdd2e1e5aa3 100644 (file)
--- a/print-vtp.c
+++ b/print-vtp.c
@@ -223,6 +223,7 @@ vtp_print (netdissect_options *ndo,
         *
         */
 
+       ND_TCHECK_32BITS(tptr);
        ND_PRINT((ndo, ", Config Rev %x", EXTRACT_32BITS(tptr)));
 
        /*
@@ -243,6 +244,7 @@ vtp_print (netdissect_options *ndo,
        tptr += 4;
        while (tptr < (pptr+length)) {
 
+           ND_TCHECK_8BITS(tptr);
            len = *tptr;
            if (len == 0)
                break;

diff --git a/tests/TESTLIST b/tests/TESTLIST
index 94237232889388c00b79b38c6bf459db6a27f178..6f5d3314d2cc4c1fffa95343c5e8447aa266d2c3 100644 (file)
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -521,6 +521,7 @@ esis_snpa_asan-5    esis_snpa_asan-5.pcap           esis_snpa_asan-5.out    -v
 dhcp6_reconf_asan      dhcp6_reconf_asan.pcap          dhcp6_reconf_asan.out   -v
 pgm_opts_asan          pgm_opts_asan.pcap              pgm_opts_asan.out       -v
 pgm_opts_asan_2                pgm_opts_asan_2.pcap            pgm_opts_asan_2.out     -v
+vtp_asan               vtp_asan.pcap                   vtp_asan.out    -v
 
 # RTP tests
 # fuzzed pcap

diff --git a/tests/vtp_asan.out b/tests/vtp_asan.out
new file mode 100644 (file)
index 0000000..17b682b
--- /dev/null
+++ b/tests/vtp_asan.out
@@ -0,0 +1,6 @@
+FRF.16 Frag, seq 193, Flags [Begin, End], UI 08! VTPv69, Message Subset advertisement (0x02), length 2126400013
+       Domain name: , Seq number: 0[|vtp]
+[|mfr]
+[|mfr]
+[|mfr]
+[|mfr]

diff --git a/tests/vtp_asan.pcap b/tests/vtp_asan.pcap
new file mode 100644 (file)
index 0000000..515828a
Binary files /dev/null and b/tests/vtp_asan.pcap differ